Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth

Vero Zheng <vero.zheng@huawei.com> Fri, 18 April 2014 03:08 UTC

From: Vero Zheng <vero.zheng@huawei.com>
To: "adrian@olddog.co.uk" <adrian@olddog.co.uk>, 'Loa Andersson' <loa@pi.nu>, "draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org" <draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org>
Date: Fri, 18 Apr 2014 03:08:04 +0000
Message-ID: <2EEA459CD95CCB4988BFAFC0F2287B5C5C80DE98@SZXEMA504-MBS.china.huawei.com>
References: <002301cf5743$b1a74af0$14f5e0d0$@olddog.co.uk> <534FB734.2020005@pi.nu> <03d801cf5a3e$4327fcc0$c977f640$@olddog.co.uk>
In-Reply-To: <03d801cf5a3e$4327fcc0$c977f640$@olddog.co.uk>
Archived-At: http://mailarchive.ietf.org/arch/msg/mpls/zorAZUf-eFXMYHud7ZfzuMkKRzM
Cc: "mpls@ietf.org" <mpls@ietf.org>
Subject: Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth

> RFC 6952 comes from draft-ietf-karp-routing-tcp-analysis-00.txt that was adopted by KARP in June 2011. That derives from draft-mahesh-bgp-ldp-msdp-analysis first posted in February 2011 (note that the discussion of LDP Hellos didn't make it into this document until -01 in May 2011).



Adrian,

That is not correct. The discussion of LDP Hellos was in the document from the very beginning. The Hello spoofing was discussed in both the current-state and the optimal-state discussions of the protocols in -00.

Obviously, the document authors care :)



Cheers, Vero



> -----Original Message-----
> From: mpls [mailto:mpls-bounces@ietf.org] On Behalf Of Adrian Farrel
> Sent: Thursday, April 17, 2014 9:09 PM
> To: 'Loa Andersson'; draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
> Cc: mpls@ietf.org
> Subject: Re: [mpls] AD review of draft-ietf-mpls-ldp-hello-crypto-auth
>
> Hello,
>
> I don't think that is the history at all!
> This document started as draft-zheng-mpls-ldp-hello-crypto-auth in October 2010.
> Before that the issue with the Hello was discussed and batted around for a while.
> There is a risk with the Hello and it needs a solution.
> No issue with that, and I support this draft.
>
> RFC 6952 comes from draft-ietf-karp-routing-tcp-analysis-00.txt that was adopted by KARP in June 2011. That derives from draft-mahesh-bgp-ldp-msdp-analysis first posted in February 2011 (note that the discussion of LDP Hellos didn't make it into this document until -01 in May 2011).
>
> But who cares?
>
> RFC 6952 does not describe the attacks or their mitigations. It just notes that spoofing a Hello can have some bad effects.
>
> As a deployer, I need help to explain when I need to insist on having this feature implemented by my supplier (BTW, it looks like none of the suppliers is implementing it) and when I need to enable it. It seems to me that this feature is needed to protect against attacks (which 6952 claims have been seen in the wild), but that those attacks only arise in specific situations.
>
> Since the security mechanisms defined in this document are pretty heavy-weight (compare with simple text passwords so loved for IGP security :-) it would be great to get some help on this topic. Are all networks always exposed (if so it looks like a must-have feature)? Are the risks only significant for targeted LDP? Is the network safe if it applies access controls at the edges and assumes no subversion of routers? Does applying an access list at the LDP speakers provide protection against everything except address spoofing?
>
> Cheers,
> Adrian
>
> > -----Original Message-----
> > From: Loa Andersson [mailto:loa@pi.nu]
> > Sent: 17 April 2014 12:13
> > To: adrian@olddog.co.uk; draft-ietf-mpls-ldp-hello-crypto-auth.all@tools.ietf.org
> > Cc: mpls@ietf.org
> > Subject: Re: AD review of draft-ietf-mpls-ldp-hello-crypto-auth
> >
> > Adrian,
> >
> > Given my limited understanding of the security mechanisms, I nevertheless have one question I need to ask.
> >
> > You say:
> >
> > On 2014-04-13 20:10, Adrian Farrel wrote:
> > > It would help if the document was a little clearer about which attacks it is defending against and why normal protection at the edge of the network is not considered enough for the former, and why a bad actor within the network would waste its time attacking LDP when there is so much else it can do!
> >
> > My understanding is that this document was written as a response to the risk analysis in RFC 6952. If I remember correctly you had a number of questions, but also said that you had no objections after having these questions answered.
> >
> > Since RFC 6952 says we have a security hole that we need to close, you said that you approve of that, we tried to fill the hole; how should I understand the comment above? Do you just want another reference to RFC 6952?
> >
> > /Loa
